We're running fw-1 3.0b on Solaris 2.6. Patches and service packs should be
up-to-date within a few months. Had a glitch show up last night that I don't
recall catching before.

A few minutes before midnight, we run "$BINDIR/fw logswitch
$LOGDIR/${DATE}.log" to start a new log file. The renamed log file for the
previous day is processed using "$BINDIR/fw logexport -n -i
$LOGDIR/${DATE}.log -o $LOGDIR/${DATE}.export.ip". The exported file is used
for subsequent processing.

The glitch is in the order of fields in the exported file. I've included
only the header line (emphasis is mine), but the log data is consistent with
the header line, in each file.

For 21Aug, the export correctly yields:
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;SRC;dst;service;s_port;len;rule;icmp-type;icmp-code;sys_msgs
I have rerun the export against the switched file and the results are the
same.

For 22Aug, the export incorrectly yields:
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;dst;service;s_port;len;rule;SRC;icmp-type;icmp-code;sys_msgs
Note the relative positions of the "src" field. This too is the same when
rerun from the switched file.

For 23Aug, using the fw.log file in use, the export correctly yields:
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;SRC;dst;service;s_port;len;rule;icmp-type;icmp-code;sys_msgs
I ran this only once, but will get another look at it tomorrow morning after
fw.log is switched by the cron job.

Since the export is consistent with subsequent runs from the same switched
log file, the problem appears to be within the switched log file, not with
the export process.

So.
Exercise for the student:
 :-}>

What causes this, especially since it seems to have happened on only one day
and was miraculously fixed the next? Extra credit: Is there a configuration
file (or whatever) in which the field order is set, or is this cast in steel
from the getgo? I'm wondering if a field order file (or whatever) was missed
that night and a default order was used instead...

Thanks for any help...


Chuck Sterling
System/Network Administrator
NASA White Sands Test Facility
Magic is REAL, unless declared INTEGER.



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
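The practical lesson of the post is that anything downstream of "fw logexport" should key on the header line rather than on fixed column positions, and should flag the day the order changes. The following is an added example, not code from the original post or from Check Point: it parses two constructed export files (the two header orders quoted above, with made-up records; "fw1", the addresses and the services are placeholders), compares the header against the order seen on 21Aug, and shows that a name-based lookup returns the same "src" values from both files while a position-based lookup silently reads "dst" on the 22Aug layout.

```python
import csv
import io
from collections import Counter

# Constructed sample exports (not real log data). Same two records, once in the
# 21Aug field order and once in the 22Aug order quoted in the post. Field names
# are lower-cased as "fw logexport" writes them; the post upper-cased SRC for
# emphasis only.
EXPORT_21AUG = """\
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;src;dst;service;s_port;len;rule;icmp-type;icmp-code;sys_msgs
1;21Aug;23:55:01;fw1;log;accept;;hme0;inbound;tcp;192.0.2.10;198.51.100.5;http;1025;44;3;;;
2;21Aug;23:55:02;fw1;log;drop;;hme0;inbound;udp;192.0.2.11;198.51.100.5;domain-udp;1026;60;12;;;
"""

EXPORT_22AUG = """\
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;proto;dst;service;s_port;len;rule;src;icmp-type;icmp-code;sys_msgs
1;22Aug;23:55:01;fw1;log;accept;;hme0;inbound;tcp;198.51.100.5;http;1025;44;3;192.0.2.10;;;
2;22Aug;23:55:02;fw1;log;drop;;hme0;inbound;udp;198.51.100.5;domain-udp;1026;60;12;192.0.2.11;;;
"""

# The order the post reports as correct (21Aug and 23Aug).
EXPECTED_ORDER = [
    "num", "date", "time", "orig", "type", "action", "alert", "i/f_name",
    "i/f_dir", "proto", "src", "dst", "service", "s_port", "len", "rule",
    "icmp-type", "icmp-code", "sys_msgs",
]


def parse_export(text):
    """Parse a logexport file into (header, rows); rows are dicts keyed by
    header name, so later code never depends on column position."""
    reader = csv.reader(io.StringIO(text), delimiter=";")
    header = next(reader)
    rows = []
    for lineno, rec in enumerate(reader, start=2):
        if not rec:
            continue
        if len(rec) != len(header):
            raise ValueError("line %d: %d fields, header has %d"
                             % (lineno, len(rec), len(header)))
        rows.append(dict(zip(header, rec)))
    return header, rows


def check_field_order(header, expected=EXPECTED_ORDER):
    """Return the names whose position differs from the expected order
    (empty list when the header matches). Lets a cron job log or mail a
    warning on a day like 22Aug instead of processing garbage silently."""
    if sorted(header) != sorted(expected):
        # Different field set altogether: report everything not in common.
        return sorted(set(header) ^ set(expected))
    return [want for want, got in zip(expected, header) if want != got]


def srcs_by_name(rows):
    """Source addresses looked up by header name: correct on both layouts."""
    return [r["src"] for r in rows]


def srcs_positional(text, col=10):
    """The fragile approach: take column 10 (0-based) as 'src', which is
    where it sits in the 21Aug layout. On the 22Aug layout this returns
    the 'dst' column without any error."""
    lines = text.splitlines()[1:]  # skip the header
    return [line.split(";")[col] for line in lines if line]


def drops_by_src(rows):
    """Typical downstream report: dropped connections per source address."""
    return dict(Counter(r["src"] for r in rows if r["action"] == "drop"))


if __name__ == "__main__":
    for name, text in (("21Aug", EXPORT_21AUG), ("22Aug", EXPORT_22AUG)):
        header, rows = parse_export(text)
        print(name, "misplaced fields:", check_field_order(header))
        print(name, "src by name:     ", srcs_by_name(rows))
        print(name, "src by position: ", srcs_positional(text))
        print(name, "drops by src:    ", drops_by_src(rows))
```

Run against the 22Aug file, check_field_order() names the six fields that shifted (src and the five it displaced), srcs_by_name() still returns the real sources, and srcs_positional() returns the destination address twice, which is exactly the kind of silent corruption a header-blind script would feed into the next stage.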